CVE-2025-4341

6.3 MEDIUM

📋 TL;DR

This command injection vulnerability in D-Link DIR-880L routers allows remote attackers to execute arbitrary commands by manipulating HTTP headers. The flaw lies in the Request Header Handler component and can be exploited without authentication. Only D-Link DIR-880L routers, which are no longer supported, are affected.

💻 Affected Systems

Products:
  • D-Link DIR-880L
Versions: Up to firmware version 104WWb01
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices are end-of-life with no vendor support. Default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise, allowing an attacker to install persistent backdoors, intercept network traffic, pivot to internal networks, or brick the device.

🟠 Likely Case: Router takeover enabling traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢 If Mitigated: Limited impact if the device is isolated behind firewalls with strict egress filtering and network segmentation.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices immediate targets.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to pivot through networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub. Remote exploitation requires no authentication and only simple HTTP request manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - product is end-of-life

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

No official patch available. D-Link has ended support for DIR-880L. Replace with supported hardware.

🔧 Temporary Workarounds

Network Isolation (all versions): Place affected routers behind firewalls with strict inbound filtering.

Disable Remote Management (all versions): Turn off WAN-side administration access if enabled.

🧯 If You Can't Patch

  • Immediately replace affected routers with supported models
  • Segment affected devices in isolated VLANs with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface at 192.168.0.1 or 192.168.1.1. If the version is 104WWb01 or earlier, the device is vulnerable.

Check Version:

curl -s http://192.168.0.1/ | grep -i firmware || ssh admin@router 'cat /etc/version'

Verify Fix Applied:

No patch exists, so there is no fix to verify; the only remediation that can be confirmed is replacement of the hardware with a supported model.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to /htdocs/ssdpcgi with manipulated ST, REMOTE_ADDR, REMOTE_PORT, or SERVER_ID headers
  • Unexpected command execution in system logs

Network Indicators:

  • HTTP requests to router with unusual header values
  • Outbound connections from router to unexpected destinations

SIEM Query:

source="router_logs" AND (uri="/htdocs/ssdpcgi" AND (header="HTTP_ST" OR header="REMOTE_ADDR" OR header="REMOTE_PORT" OR header="SERVER_ID"))
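As an added example (not part of this advisory or any D-Link tooling), a small Python check that applies the log indicators above to constructed web-server log lines: it flags requests to /htdocs/ssdpcgi whose ST, REMOTE_ADDR, REMOTE_PORT or SERVER_ID values contain shell metacharacters. The key=value log format and the sample lines are assumptions; adapt the parser to your router's or reverse proxy's actual log syntax.

```python
import re
from typing import Dict, List

# Header fields named in the advisory's log indicators for /htdocs/ssdpcgi.
WATCHED_FIELDS = ("ST", "REMOTE_ADDR", "REMOTE_PORT", "SERVER_ID")
TARGET_URI = "/htdocs/ssdpcgi"

# Characters that never belong in a legitimate SSDP/HTTP header value and
# are typical of attempts to break out into a shell command.
SHELL_META = re.compile(r"[;`|&$<>\n]")

# Constructed log format (an assumption, not the DIR-880L's real format):
# space-separated key=value pairs, values optionally double-quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line: str) -> Dict[str, str]:
    """Turn one constructed key=value log line into a dict."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def suspicious_fields(entry: Dict[str, str]) -> List[str]:
    """Return the watched fields whose values contain shell metacharacters."""
    if entry.get("uri") != TARGET_URI:
        return []
    return [f for f in WATCHED_FIELDS if f in entry and SHELL_META.search(entry[f])]

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that matches the indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = suspicious_fields(entry := parse_line(line))
        if hits:
            findings.append({"line": n, "src": entry.get("src", "?"), "fields": hits})
    return findings

# Constructed sample log lines (not real traffic): one benign SSDP request,
# two tampered ones, and one with metacharacters on an unrelated URI.
SAMPLE_LOG = [
    'src=192.168.0.23 uri=/htdocs/ssdpcgi ST="ssdp:all" REMOTE_ADDR=192.168.0.23 REMOTE_PORT=1900',
    'src=203.0.113.7 uri=/htdocs/ssdpcgi ST="ssdp:all;probe" REMOTE_ADDR=203.0.113.7 REMOTE_PORT=1900',
    'src=203.0.113.9 uri=/htdocs/ssdpcgi ST="ssdp:all" REMOTE_ADDR="203.0.113.9`probe`" SERVER_ID="$(probe)"',
    'src=192.168.0.5 uri=/index.html ST="x;y"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} tampered {', '.join(f['fields'])}")
```

Run against real logs, the same check should be scoped to the listed headers only; a metacharacter in an unrelated field is not by itself evidence of this CVE being exercised.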
